How to restrict everyone except a certain group in SSH?

Solution 1:

If you're using OpenSSH 5.1 or later then it supports Match Group negation.

Assuming the defaults are OK for the admin group, then just change everyone else:

Match Group *,!admin
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

There's really no reason to rely on third-party shells to do this kind of job with recent OpenSSH releases.
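The leading `*` in `Match Group *,!admin` matters because a negated entry can only veto a match, never produce one. The sketch below is an added illustration, not part of the original answer and not OpenSSH code: it models OpenSSH's pattern-list semantics for group matching as documented under PATTERNS in ssh_config(5), and the users and groups are constructed sample data.

```python
import re

def _glob(pattern):
    # OpenSSH patterns support only the '*' and '?' wildcards.
    wild = {"*": ".*", "?": "."}
    return re.compile("".join(wild.get(c, re.escape(c)) for c in pattern), re.S)

def match_pattern_list(name, pattern_list):
    """Return 1 on a positive match, -1 if a negated entry matches, else 0."""
    positive = 0
    for entry in pattern_list.split(","):
        negated = entry.startswith("!")
        if _glob(entry[1:] if negated else entry).fullmatch(name):
            if negated:
                return -1          # a negated hit overrides everything else
            positive = 1
    return positive

def group_match(user_groups, pattern_list):
    """Model of 'Match Group': test every group the user belongs to."""
    found = False
    for group in user_groups:
        result = match_pattern_list(group, pattern_list)
        if result == -1:
            return False           # membership in an excluded group exempts the user
        if result == 1:
            found = True
    return found

# Constructed sample accounts (hypothetical names and memberships).
USERS = {
    "alice": ["alice", "admin"],
    "bob": ["bob", "sftpusers"],
    "carol": ["carol", "www-data", "admin"],
}

def restricted_users(pattern_list, users=USERS):
    """Users for whom the Match block (and its ForceCommand) would apply."""
    return sorted(u for u, groups in users.items() if group_match(groups, pattern_list))

if __name__ == "__main__":
    print("*,!admin ->", restricted_users("*,!admin"))  # only non-admins
    print("!admin   ->", restricted_users("!admin"))    # negation alone matches nobody
```

On a live server, `sshd -T -C user=NAME` prints the effective settings for that user (older releases also require `host=` and `addr=` in the `-C` spec), which confirms whether `forcecommand internal-sftp` actually applies.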

Solution 2:

I use MySecureShell to limit users to SFTP-only connections. I do this for specific users, but I am sure you can configure it to limit by default so the exemption would be for you to give shell access as well.

http://mysecureshell.sourceforge.net/

Solution 3:

What you want is scponly. If you're running Debian/Ubuntu it's in the repos. Once installed, you just do the following:

$ sudo chsh -s /usr/bin/scponly username

It also allows you to chroot the users.

Alternatively you can do the following:

$ sudo usermod -s /usr/lib/sftp-server username
$ echo '/usr/lib/sftp-server' | sudo tee -a /etc/shells

The first line restricts the user's shell to sftp. The second line is to make sftp-server a valid shell.

As you didn't specify the OS that you are using, I am unable to tailor the commands to your specific needs.